def main():
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    print(pkg.to_xml(encoding=None))
示例#2
0
def main():
    from stix.coa import CourseOfAction, Objective
    from stix.common import Confidence
    from stix.core import STIXPackage
    from cybox.core import Observables
    from cybox.objects.address_object import Address

    pkg = STIXPackage()
    coa = CourseOfAction()
    coa.title = "Block traffic to PIVY C2 Server (10.10.10.10)"
    coa.stage = "Response"
    coa.type_ = "Perimeter Blocking"

    obj = Objective()
    obj.description = "Block communication between the PIVY agents and the C2 Server"
    obj.applicability_confidence = Confidence("High")

    coa.objective = obj
    coa.impact = "Low"
    coa.impact.description = "This IP address is not used for legitimate hosting so there should be no operational impact."
    coa.cost = "Low"
    coa.efficacy = "High"

    addr = Address(address_value="10.10.10.10", category=Address.CAT_IPV4)
    coa.parameter_observables = Observables(addr)

    pkg.add_course_of_action(coa)

    print pkg.to_xml()
示例#3
0
def add_coa_items(corrective_action_item, cost_corrective_action_item, pkg):
    coa = CourseOfAction()
    if corrective_action_item:
        coa.title = corrective_action_item
    if cost_corrective_action_item:
        cost = Statement()
        cost.value = map_cost_corrective_action_item_to_high_medium_low(cost_corrective_action_item)
        coa.cost = cost
    pkg.coa = coa
示例#4
0
def buildCoa(input_dict):
    # add incident and confidence
    coa = CourseOfAction()
    coa.title = input_dict['title']
    coa.description = input_dict['description']
    if input_dict['stage']:
        coa.stage = input_dict['stage']
    if input_dict['type']:
        coa.type = input_dict['type']
    if input_dict['objective']:
        coa.objective = Objective(input_dict['objective'])
    if input_dict['impact']:
        coa.impact = input_dict['impact']
    if input_dict['cost']:
        coa.cost = input_dict['cost']
    if input_dict['efficacy']:
        coa.efficacy = input_dict['efficacy']
    if input_dict['informationSource']:
        coa.information_source = InformationSource(input_dict['informationSource'])

    return coa
示例#5
0
# Basics
coa = CourseOfAction(
    title='Block traffic to Malicious C2 Server ({})'.format(ip))
coa.description = 'Maecenas sed diam eget risus varius blandit sit amet non magna.'
coa.short_description = 'Tristique Venenatis Tortor Mollis Vestibulum'

# Objective
obj = Objective()
obj.description = 'Block communication between the infected agents and the C2 Server'
obj.short_description = 'Block traffic'
obj.applicability_confidence = Confidence(HighMediumLow('High'))
coa.objective = obj

# Attributes
coa.impact = HighMediumLow('Medium')
coa.cost = HighMediumLow('Low')
coa.efficacy = HighMediumLow('High')
coa.stage = COAStage('Response')
coa.type_ = CourseOfActionType('Perimeter Blocking')

# Related Observable (by id)
addr = Address(address_value=ip, category=Address.CAT_IPV4)
observable = Observable(addr)
coa.parameter_observables = Observables(observables=Observable(
    idref=observable.id_))

# Related CoA (basic; by id)
coa2 = CourseOfAction(title='Block domain traffic to {}'.format(domain))
related_coa = RelatedCOA(CourseOfAction(idref=coa2.id_))
coa.related_coas.append(related_coa)